functions/auth.php

   1 <?php
   2
   3 /**
   4  * auth.php
   5  *
   6  * Copyright (c) 1999-2005 The SquirrelMail Project Team
   7  * Licensed under the GNU GPL. For full terms see the file COPYING.
   8  *
   9  * Contains functions used to do authentication.
  10  *
  11  * @version $Id$
  12  * @package squirrelmail
  13  */
  14
  15 /** Put in a safety net here, in case a naughty admin didn't run conf.pl when they upgraded */
  16
  17 if (! isset($smtp_auth_mech)) {
  18     $smtp_auth_mech = 'none';
  19 }
  20
  21 if (! isset($imap_auth_mech)) {
  22     $imap_auth_mech = 'login';
  23 }
  24
  25 if (! isset($use_imap_tls)) {
  26     $use_imap_tls = false;
  27 }
  28
  29 if (! isset($use_smtp_tls)) {
  30     $use_smtp_tls = false;
  31 }
  32
  33 /**
  34  * Check if user has previously logged in to the SquirrelMail session.  If user
  35  * has not logged in, execution will stop inside this function.
  36  *
  37  * @return int A positive value is returned if user has previously logged in
  38  * successfully.
  39  */
  40 function is_logged_in() {
  41
  42     if ( sqsession_is_registered('user_is_logged_in') ) {
  43         return;
  44     } else {
  45         global $PHP_SELF, $session_expired_post,
  46                $session_expired_location, $squirrelmail_language;
  47
  48         //  First we store some information in the new session to prevent
  49         //  information-loss.
  50         //
  51         $session_expired_post = $_POST;
  52         $session_expired_location = $PHP_SELF;
  53         if (!sqsession_is_registered('session_expired_post')) {
  54             sqsession_register($session_expired_post,'session_expired_post');
  55         }
  56         if (!sqsession_is_registered('session_expired_location')) {
  57             sqsession_register($session_expired_location,'session_expired_location');
  58         }
  59
  60         // signout page will deal with users who aren't logged
  61         // in on its own; don't show error here
  62         //
  63         if (strpos($PHP_SELF, 'signout.php') !== FALSE) {
  64            return;
  65         }
  66
  67         include_once( SM_PATH . 'functions/display_messages.php' );
  68         set_up_language($squirrelmail_language, true);
  69         logout_error( _("You must be logged in to access this page.") );
  70         exit;
  71     }
  72 }
  73
  74 /**
  75  * Given the challenge from the server, supply the response using cram-md5 (See
  76  * RFC 2195 for details)
  77  *
  78  * @param string $username User ID
  79  * @param string $password User password supplied by User
  80  * @param string $challenge The challenge supplied by the server
  81  * @return string The response to be sent to the IMAP server
  82  *
  83  */
  84 function cram_md5_response ($username,$password,$challenge) {
  85     $challenge=base64_decode($challenge);
  86     $hash=bin2hex(hmac_md5($challenge,$password));
  87     $response=base64_encode($username . " " . $hash) . "\r\n";
  88     return $response;
  89 }
  90
  91 /**
  92  * Return Digest-MD5 response.
  93  * Given the challenge from the server, calculate and return the
  94  * response-string for digest-md5 authentication.  (See RFC 2831 for more
  95  * details)
  96  *
  97  * @param string $username User ID
  98  * @param string $password User password supplied by User
  99  * @param string $challenge The challenge supplied by the server
 100  * @param string $service The service name, usually 'imap'; it is used to
 101  *   define the digest-uri.
 102  * @param string $host The host name, usually the server's FQDN; it is used to
 103  *   define the digest-uri.
 104  * @return string The response to be sent to the IMAP server
 105  */
 106 function digest_md5_response ($username,$password,$challenge,$service,$host) {
 107     $result=digest_md5_parse_challenge($challenge);
 108
 109     // verify server supports qop=auth
 110     // $qop = explode(",",$result['qop']);
 111     //if (!in_array("auth",$qop)) {
 112     // rfc2831: client MUST fail if no qop methods supported
 113     // return false;
 114     //}
 115     $cnonce = base64_encode(bin2hex(hmac_md5(microtime())));
 116     $ncount = "00000001";
 117
 118     /* This can be auth (authentication only), auth-int (integrity protection), or
 119        auth-conf (confidentiality protection).  Right now only auth is supported.
 120        DO NOT CHANGE THIS VALUE */
 121     $qop_value = "auth";
 122
 123     $digest_uri_value = $service . '/' . $host;
 124
 125     // build the $response_value
 126     //FIXME This will probably break badly if a server sends more than one realm
 127     $string_a1 = utf8_encode($username).":";
 128     $string_a1 .= utf8_encode($result['realm']).":";
 129     $string_a1 .= utf8_encode($password);
 130     $string_a1 = hmac_md5($string_a1);
 131     $A1 = $string_a1 . ":" . $result['nonce'] . ":" . $cnonce;
 132     $A1 = bin2hex(hmac_md5($A1));
 133     $A2 = "AUTHENTICATE:$digest_uri_value";
 134     // If qop is auth-int or auth-conf, A2 gets a little extra
 135     if ($qop_value != 'auth') {
 136         $A2 .= ':00000000000000000000000000000000';
 137     }
 138     $A2 = bin2hex(hmac_md5($A2));
 139
 140     $string_response = $result['nonce'] . ':' . $ncount . ':' . $cnonce . ':' . $qop_value;
 141     $response_value = bin2hex(hmac_md5($A1.":".$string_response.":".$A2));
 142
 143     $reply = 'charset=utf-8,username="' . $username . '",realm="' . $result["realm"] . '",';
 144     $reply .= 'nonce="' . $result['nonce'] . '",nc=' . $ncount . ',cnonce="' . $cnonce . '",';
 145     $reply .= "digest-uri=\"$digest_uri_value\",response=$response_value";
 146     $reply .= ',qop=' . $qop_value;
 147     $reply = base64_encode($reply);
 148     return $reply . "\r\n";
 149
 150 }
 151
 152 /**
 153  * Parse Digest-MD5 challenge.
 154  * This function parses the challenge sent during DIGEST-MD5 authentication and
 155  * returns an array. See the RFC for details on what's in the challenge string.
 156  *
 157  * @param string $challenge Digest-MD5 Challenge
 158  * @return array Digest-MD5 challenge decoded data
 159  */
 160 function digest_md5_parse_challenge($challenge) {
 161     $challenge=base64_decode($challenge);
 162     while (isset($challenge)) {
 163         if ($challenge{0} == ',') { // First char is a comma, must not be 1st time through loop
 164             $challenge=substr($challenge,1);
 165         }
 166         $key=explode('=',$challenge,2);
 167         $challenge=$key[1];
 168         $key=$key[0];
 169         if ($challenge{0} == '"') {
 170             // We're in a quoted value
 171             // Drop the first quote, since we don't care about it
 172             $challenge=substr($challenge,1);
 173             // Now explode() to the next quote, which is the end of our value
 174             $val=explode('"',$challenge,2);
 175             $challenge=$val[1]; // The rest of the challenge, work on it in next iteration of loop
 176             $value=explode(',',$val[0]);
 177             // Now, for those quoted values that are only 1 piece..
 178             if (sizeof($value) == 1) {
 179                 $value=$value[0];  // Convert to non-array
 180             }
 181         } else {
 182             // We're in a "simple" value - explode to next comma
 183             $val=explode(',',$challenge,2);
 184             if (isset($val[1])) {
 185                 $challenge=$val[1];
 186             } else {
 187                 unset($challenge);
 188             }
 189             $value=$val[0];
 190         }
 191         $parsed["$key"]=$value;
 192     } // End of while loop
 193     return $parsed;
 194 }
 195
 196 /**
 197  * Creates a HMAC digest that can be used for auth purposes
 198  * See RFCs 2104, 2617, 2831
 199  * Uses mhash() extension if available
 200  *
 201  * @param string $data Data to apply hash function to.
 202  * @param string $key Optional key, which, if supplied, will be used to
 203  * calculate data's HMAC.
 204  * @return string HMAC Digest string
 205  */
 206 function hmac_md5($data, $key='') {
 207     if (extension_loaded('mhash')) {
 208         if ($key== '') {
 209             $mhash=mhash(MHASH_MD5,$data);
 210         } else {
 211             $mhash=mhash(MHASH_MD5,$data,$key);
 212         }
 213         return $mhash;
 214     }
 215     if (!$key) {
 216         return pack('H*',md5($data));
 217     }
 218     $key = str_pad($key,64,chr(0x00));
 219     if (strlen($key) > 64) {
 220         $key = pack("H*",md5($key));
 221     }
 222     $k_ipad =  $key ^ str_repeat(chr(0x36), 64) ;
 223     $k_opad =  $key ^ str_repeat(chr(0x5c), 64) ;
 224     /* Heh, let's get recursive. */
 225     $hmac=hmac_md5($k_opad . pack("H*",md5($k_ipad . $data)) );
 226     return $hmac;
 227 }
 228
 229 /**
 230  * Fillin user and password based on SMTP auth settings.
 231  *
 232  * @param string $user Reference to SMTP username
 233  * @param string $pass Reference to SMTP password (unencrypted)
 234  */
 235 function get_smtp_user(&$user, &$pass) {
 236     global $username, $smtp_auth_mech,
 237            $smtp_sitewide_user, $smtp_sitewide_pass;
 238
 239     if ($smtp_auth_mech == 'none') {
 240         $user = '';
 241         $pass = '';
 242     } elseif ( isset($smtp_sitewide_user) && isset($smtp_sitewide_pass) ) {
 243         $user = $smtp_sitewide_user;
 244         $pass = $smtp_sitewide_pass;
 245     } else {
 246         global $key, $onetimepad;
 247         $user = $username;
 248         $pass = OneTimePadDecrypt($key, $onetimepad);
 249     }
 250 }
 251
 252 ?>